Daniel Pittman writes:
 > Dmitry V'yal <akam...@gmail.com> writes:
 > > Evan Hisey wrote:
 > >> You forgot a biggy bonus of puppet, no matter what size you support. I
 > >> have several small ( as in 1-3) groups  of very different machines,
 > >> and with puppet I can rebuild them very quickly when they need to
 > >> be replaced or upgraded. Doing it by hand takes most of a day or 2.
 > >
 > > That's great! And what to do with various passwords, private keys and so
 > > on?
 > > Should I put them in the manifest?
 > 
 > That is a hard call, and there is probably no single answer.
 > 
 > For what it is worth, we decided that this was an acceptable security risk in
 > some places (database passwords containing unclassified data only), and
 > unacceptable in others (SSL certificate private keys).
 > 
 > We presently distribute the latter set, the keys, only through manual action,
 > although you can use puppet-specific restrictions to serve them up safely
 > from external files.

What we decided to do at our site was create a separate version control
repository for secure data (passwords, certificate keys, private ssh
keys) that is not network-accessible and resides only on the
puppetmaster host.  The repository is checked out under
/etc/puppet/secure and mounted as a separate module in fileserver.conf,
so that manifests can refer to files using specifications like
"puppet:///secure/foo.key".  Then Puppet can automatically distribute
the security-sensitive files but they don't live in the main repository
which is widely distributed (working copies live on all the admin
workstations, for example).  The minor disadvantage is that you have to
log in to the puppetmaster host to actually change anything in the
secure repository, but things don't change in there very often.
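
One way to wire up the mount just described, as an added example that is not code from the post: the /etc/puppet/secure path and the puppet:///secure/ URL are the post's, while the hostname pattern, the key name and the "puppet" group are assumptions.

```puppet
# Added example, not from the original post. Assumed: the puppetmaster
# process runs as group "puppet", and only hosts matching web*.example.com
# need anything from the secure mount.

# On the puppetmaster: the checkout of the secure repository is readable
# only by root and the puppetmaster process, and fileserver.conf exposes it
# as the "secure" mount restricted to the hosts that need it.
class puppetmaster::secure_mount {
  file { '/etc/puppet/secure':
    ensure => directory,
    owner  => 'root',
    group  => 'puppet',
    mode   => '0750',
  }

  # Old-style INI fileserver.conf: [files] is the ordinary mount, [secure]
  # is the separate, restricted one.
  file { '/etc/puppet/fileserver.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
    content => "[files]\n  path /etc/puppet/files\n  allow *\n\n[secure]\n  path /etc/puppet/secure\n  allow web*.example.com\n  deny *\n",
  }
}

# On a web node: the private key is fetched from the secure mount, so it
# never appears in the widely checked-out main repository. backup => false
# keeps a copy out of the filebucket and show_diff => false keeps the key
# material out of agent logs and reports when it changes.
class webserver::ssl {
  file { '/etc/ssl/private/www.example.com.key':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    source    => 'puppet:///secure/www.example.com.key',
    backup    => false,
    show_diff => false,
  }
}
```

The `allow`/`deny` lines are the "puppet-specific restrictions" mentioned earlier in the thread; a host outside the allowed pattern gets a file server authorization error instead of the key.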

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.